As part of our ongoing commitment to enhance the overall security of the crypto ecosystem, we’re informing the crypto community that we have patched an isolated bug in our deposit and funding systems. No client assets were impacted or vulnerable leading up to this disclosure. Kraken has fixed the bug.
The bug was initially discovered by a third-party security research company who had exploited the flaw for financial gain before reporting it to Kraken’s Bug Bounty program. This flaw allowed certain users, for a short period of time, to artificially increase the value of their Kraken account balance without fully completing a deposit.
On discovery, a cross-functional effort at Kraken mitigated the issue in less than an hour. We then thoroughly tested the solution to guard against similar issues in the future.
Unfortunately, the third-party researchers that discovered the bug acted in bad faith and outside the rules of our established Bug Bounty program, which has been in operation for nearly a decade. Bug bounty program industry best practices generally involve careful collaboration between both parties, with security researchers expected to:
- Exploit only what is needed to prove a security vulnerability
- Promptly return assets that have been extracted
- Provide details of testing, such as proof-of-concept code, that allows the company to assist with the identification and remediation of the underlying flaw
We won’t be crediting the researcher of this disclosure because they didn’t comply with any of these industry expectations.
In return for bug bounty reports, developers like Kraken are expected to be attentive, patch the underlying issue quickly and publicly recognize the incredible work of the researcher. Most importantly, they’re also expected to reward the researcher with a generous bounty. We actively moved to hold up our side of this deal.
Security research is nothing new for Kraken, which has deep roots in the info-sec industry. Our Kraken Security Labs team has a track record of discovering and reporting security vulnerabilities to other crypto vendors, including Ledger and Trezor, to help them improve their products.
We understand the value that external security research can bring and how it can enhance the broader ecosystem. There’s simply no better way to secure all users on the crypto frontier than to work collaboratively.
“As a leader with roots in the hacking community, I can attest to the importance of leveraging the skills, knowledge and expertise across the security community to enhance companies’ security strategies and risk management controls,” said Nick Percoco, Kraken Chief Security Officer.
We see our Bug Bounty program as a vital shield to Kraken’s mission and a key part of our efforts to enhance our overall security systems and processes. We have worked with many talented, good faith security researchers over the years, and look forward to continuing this work in the future.
These materials are for general information purposes only and are not investment advice or a recommendation or solicitation to buy, sell, stake, or hold any cryptoasset or to engage in any specific trading strategy. Kraken makes no representation or warranty of any kind, express or implied, as to the accuracy, completeness, timeliness, suitability or validity of any such information and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. Kraken does not and will not work to increase or decrease the price of any particular cryptoasset it makes available. Some crypto products and markets are unregulated, and you may not be protected by government compensation and/or regulatory protection schemes. The unpredictable nature of the cryptoasset markets can lead to loss of funds. Tax may be payable on any return and/or on any increase in the value of your cryptoassets and you should seek independent advice on your taxation position. Geographic restrictions may apply.